CVE-2018-25429

An authenticated attacker can exploit this vulnerability by sending a crafted GET request to the zpro.php script. By injecting SQL code into the `zProIdPro` parameter, the attacker can manipulate database queries. This allows for the extraction of sensitive information such as usernames, database names, and version details [ref_id=1]. The exploit targets the `zProAction=M` endpoint to trigger the vulnerable code path [ref_id=1].

The vulnerability exists in the zpro.php script, specifically when handling the `zProIdPro` parameter. The provided reference indicates that the `zProAction=M` parameter is used in conjunction with the vulnerable `zProIdPro` parameter to execute arbitrary SQL queries [ref_id=1].

The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult vendor advisories for the latest security updates and patches.

1. Send a GET request to `/[PATH]/html/zpro.php?zProAction=M&zProIdPro=-2' UNION ALL SELECT 1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,6,7,8,9,10-- -` [ref_id=1]. 2. Observe the response for extracted database information.